MQTT-Explorer | round MQTT client that provides a structured topic overview

MQTT Explorer is built using Node.js and the MQTT library MQTT.js. As per this issue:

Node.js requires the IP address to be in the subjectAltNames for the cert and not in the CN. Maybe MQTT.fx isn't requiring that, but it should.

and:

If your server's certificate says CN=localhost in the Subject field, connect using localhost and not 127.0.0.1 and it should work. If it says CN=127.0.0.1, you have to make a new one because Node.js won't validate the IP address unless it's in the SAN extension. There is a way to work around it in code (I think it's an option called checkServerIdentity), but I would prefer to fix my certificate if I had this problem.

A rationale for the approach taken in Node is set out in this answer which includes the following quote from RFC2818: HTTP Over TLS :

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

As you are using MQTT over TLS (as opposed to HTTP Over TLS) you could argue that the above does not apply but, given that the main use of the TLS library is for HTTP traffic, it makes sense that it confirms to the RFC by default.

You have a few options including:

• Use a hostname (e.g. localhost) rather then an IP when creating the certificate/connecting.
• Add the IP as a subjectAltName
• Modify the library to use a noop checkServerIdentity (see this answer).
• Use another application for testing (not really recommended as some applications will work and others will not). The issue quoted above mentions that MQTT.fx works.